
Trojan:Win32/Enchanim


Trojan:Win32/Enchanim is a trojan that attempts to terminate multiple security-related processes and then downloads and runs other malicious code, such as Worm:Win32/Gamarue.F.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Trojan:Win32/Enchanim is a trojan that attempts to terminate multiple security-related processes and then downloads and runs other malicious code, such as Worm:Win32/Gamarue.F.

Installation

This trojan is installed by other malware and is present as a randomly named file in the Windows system folder. The malware uses code injection to hinder detection and removal. When Trojan:Win32/Enchanim executes, it injects its code into running processes, including, for example, the following:

  • csrss.exe
  • explorer.exe
  • lsass.exe
  • svchost.exe

Payload

Terminates processes

Trojan:Win32/Enchanim attempts to stop the following processes, many of which are security-related:

  • cfp.exe
  • avp.exe
  • kaspersky.exe
  • op_mon.exe
  • mcafee.exe
  • mcagent.exe
  • mcshield.exe
  • mctray.exe
  • mcsvhost.exe
  • mfevtps.exe
  • mfefire.exe
  • zonealarm.exe
  • egui.exe
  • nod32.exe
  • ekrn.exe
  • nod32kui.exe
  • msseces.exe
  • spiderui.exe
  • drwagntd.exe
  • drwagnui.exe
  • spiderml.exe
  • spidernt.exe
  • avscan.exe
  • avnotify.exe
  • avgnt.exe
  • ashdisp.exe
  • AVGIDSMonitor.exe
  • avgnsx.exe
  • avgcsrvx.exe
  • avgrsx.exe
  • avgw.exe
  • avgamsvr.exe
  • avg.exe
  • avgwdsvc
  • norton.exe
  • ccsvchst.exe
  • psctrls.exe
  • pavfnsvr.exe
  • pshost.exe
  • avengine.exe

Downloads other malware

Trojan:Win32/Enchanim may contact a remote host at 188.190.98.166 on port 80 to download other malware, such as Worm:Win32/Gamarue.F.

This trojan has also been observed contacting a remote host at 31.186.102.156 on port 80.

Analysis by Jeong Mun


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • Certain security programs are disabled after running the malware
  • The presence of a file named "7af3996f" in the %TEMP% folder
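The indicators on this page (the terminated security processes, the two remote hosts contacted on port 80, and the file in %TEMP%) can be checked together against a host snapshot. The script below is an added example written for this entry; it is not Microsoft's tooling and is not part of the original write-up. It assumes a snapshot of running image names, %TEMP% file names and remote connections has already been collected by whatever endpoint tooling you use, and it assumes a per-host baseline of which security processes should be running, since that depends on the product installed. The HostSnapshot fields, the sample data and the scoring are constructed for illustration.

```python
"""Offline triage check for the Trojan:Win32/Enchanim indicators listed on this page.

Added example: feed it a snapshot of a host and it reports which indicator
classes fired. Nothing here touches the live system.
"""
from dataclasses import dataclass
from typing import Iterable

# Process names the trojan attempts to terminate (copied from the page; compared case-insensitively).
TARGETED_PROCESSES = frozenset(name.lower() for name in (
    "cfp.exe", "avp.exe", "kaspersky.exe", "op_mon.exe", "mcafee.exe",
    "mcagent.exe", "mcshield.exe", "mctray.exe", "mcsvhost.exe", "mfevtps.exe",
    "mfefire.exe", "zonealarm.exe", "egui.exe", "nod32.exe", "ekrn.exe",
    "nod32kui.exe", "msseces.exe", "spiderui.exe", "drwagntd.exe", "drwagnui.exe",
    "spiderml.exe", "spidernt.exe", "avscan.exe", "avnotify.exe", "avgnt.exe",
    "ashdisp.exe", "AVGIDSMonitor.exe", "avgnsx.exe", "avgcsrvx.exe", "avgrsx.exe",
    "avgw.exe", "avgamsvr.exe", "avg.exe", "avgwdsvc", "norton.exe", "ccsvchst.exe",
    "psctrls.exe", "pavfnsvr.exe", "pshost.exe", "avengine.exe",
))

# Remote hosts and port reported on the page (2012 observations; treat as historical indicators).
REMOTE_HOSTS = frozenset({("188.190.98.166", 80), ("31.186.102.156", 80)})

# File name reported in %TEMP% on the page.
TEMP_MARKER = "7af3996f"


@dataclass
class HostSnapshot:
    """Point-in-time view of one host (assumed structure; populate it from your own collection)."""
    running_processes: list[str]            # image names, any case
    temp_files: list[str]                   # file names found in %TEMP%
    connections: list[tuple[str, int]]      # (remote IP, remote port) pairs
    baseline_security_processes: list[str]  # security processes expected on this host


def _norm(names: Iterable[str]) -> set[str]:
    """Windows image names are case-insensitive, so compare in lower case."""
    return {n.lower() for n in names}


def missing_security_processes(snap: HostSnapshot) -> list[str]:
    """Processes the baseline expects, that Enchanim targets, and that are not running."""
    expected = _norm(snap.baseline_security_processes) & TARGETED_PROCESSES
    return sorted(expected - _norm(snap.running_processes))


def remote_host_hits(snap: HostSnapshot) -> list[tuple[str, int]]:
    """Connections to the remote hosts named on the page."""
    return sorted(set(snap.connections) & REMOTE_HOSTS)


def temp_marker_present(snap: HostSnapshot) -> bool:
    """Whether the %TEMP% file named on the page is present."""
    return TEMP_MARKER in _norm(snap.temp_files)


def triage(snap: HostSnapshot) -> dict:
    """Run every check; 'score' is the number of indicator classes that fired (0-3)."""
    findings = {
        "missing_security_processes": missing_security_processes(snap),
        "remote_host_hits": remote_host_hits(snap),
        "temp_marker_present": temp_marker_present(snap),
    }
    findings["score"] = sum(1 for v in findings.values() if v)
    return findings


# Constructed sample snapshot of an infected host (not real telemetry).
SAMPLE = HostSnapshot(
    running_processes=["System", "csrss.exe", "explorer.exe", "svchost.exe", "lsass.exe", "mctray.exe"],
    temp_files=["~DF3A2B.tmp", "7af3996f"],
    connections=[("188.190.98.166", 80), ("10.0.0.5", 445)],
    baseline_security_processes=["McShield.exe", "mcagent.exe", "mctray.exe", "mfevtps.exe"],
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

A snapshot only shows what is running at the moment it is taken, so a security process that was killed and then restarted by its service will not show as missing; when you have process-termination telemetry (for example a process-terminate event stream), check that as well. The two IP addresses are historical indicators from 2012 and may have been reassigned since, so a hit on them is a lead for investigation, not proof on its own.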

Prevention


Alert level: Severe
First detected by definition: 1.119.1228.0
Latest detected by definition: 1.187.2172.0 and higher
First detected on: Feb 02, 2012
This entry was first published on: Feb 02, 2012
This entry was updated on: Jul 09, 2012

This threat is also detected as:
  • Trojan.Win32.Menti.noix (Kaspersky)
  • WORM_SLENFBOT.JX (Trend Micro)